DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

West Virginia Supreme Court affirms HIPAA does not pre-empt state law tort claims for privacy violations

Posted on December 7, 2012 by Dissent

I seem to have missed a lawsuit that may be of interest to readers.  Back in September, Bordas & Bordas, PLLC  wrote:

… What if our private information is released without our permission? What if it falls into the hands of someone who can actually cause us harm?

These aren’t abstract or hypothetical questions. The danger is real, and there’s a case before the West Virginia Supreme Court that shows us just how real it is R.K. vs. St. Mary’s Medical Center, Inc., No. 11-0924.

Consider these facts. R.K. was admitted to St. Mary’s Medical Center for a psychiatric illness. R.K. was also going through a divorce. During his hospitalization, employees of the hospital illegally accessed his private medical records. To add insult to injury, they proceeded to provide copies of the records to R.K.’s wife and divorce attorney. R.K. sued the hospital, alleging a wide variety of state-law claims.

Amazingly, the hospital managed to get the lawsuit dismissed by arguing that since HIPAA doesn’t provide for a private cause of action, there can be no state-level private cause of action for a privacy violation of this kind.

That’s just plain wrong, of course, and R.K. appealed the dismissal in September.  Yesterday, Bordas & Bordas provided a welcome update:

You may remember that in R. K. vs. St. Mary’s Medical Center, Inc., 2012 WL 5834577, a hospital employee illegally accessed the plaintiff’s psychiatric records and then forwarded them to the plaintiff’s estranged wife and her divorce attorney. The plaintiff sued the hospital, claiming that state law provided a remedy for this scandalous behavior. The hospital asked the trial court to dismiss the case, arguing that HIPAA preempted any and all state laws relating to medical rights privacy. Because HIPAA itself didn’t provide a remedy the hospital was, in reality, asking for a free pass.

Thankfully, the West Virginia Supreme Court refused to accept the hospital’s bizarre argument. Even though HIPAA is meant to protect privacy rights, the hospital was twisting it to mean that HIPAA violations would go unpunished. This interpretation was rejected out of hand:

[S]tate common law claims for the wrongful disclosure of medical or personal health information are not inconsistent with HIPAA. Rather, …such state law claims complement HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance. Accordingly, we now hold that common law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by the Health Insurance Portability and Accountability Act of 1996.

Here’s the court’s opinion of November 15 and Chief Justice Ketchum’s dissenting opinion.

No related posts.

Category: Health Data

Post navigation

← Stratfor hack update: Barrett Brown indicted
State Farm and Nationwide fail to convince WV Supreme Court to let them retain – and share – medical records obtained under protective orders →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • 70% of healthcare cyberattacks result in delayed patient care, report finds
  • Police disrupt “Diskstation” ransomware gang attacking NAS devices
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​
  • Fourth Circuit upholds West Virginia ban on abortion pills
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.